All about Internet Relay Chat

Category Archives: Botnets/DDoS

“I am writing to this list because I no longer know where to turn,” admin Anthony from Ablenet started his email to the full-disclosure list. “Over the course of the past 2 to three weeks I have watched my services on the Internet become systematically blocked and redirected by no less than 3 major ISPs in their efforts to stop botnets from connecting to IRC.”

What happened was that three major ISPs (TimeWarner/AOL, Verizon and Cox) had altered the DNS answers for Ablenet’s servers so that they resolved to the ISPs’ own alternative IRCd instead of the real IP, redirecting users to that IRCd. Once connected, users were steered into a channel where they were presented with a list of commands intended to remove zombie software. For many years IRC has been a popular place for drone runners to command and control their drone networks from.

“Because we were hit by 3 major ISPs at the same time,” Anthony starts explaining to IRC-Junkie in a reaction, “… for a period of approximately one month, we have seemingly lost approximately 75% of our user base, who were either directly affected or peripherally affected and followed their communities to an unaffected network.”

The action did not remain restricted to this relatively small network, however: five EFnet servers were caught as well. One of them is irc.vel.net, with Exstatica as its admin. He explained how he discovered that his server was involved too. “Yesterday July 22nd, the admin-body discovered that a handful of EFNet servers have been ‘juped’. Not only have they taken the irc record, but they’ve also hijacked the SOA and NS records too.”

Anthony tried to contact the ISPs in question but got either no reply at all or a standard message that resources were too limited to reply. Exstatica also tried to contact the ISPs: “Yes I’ve tried, I’ve contacted the abuse team at Cox, they’ve requested logs, which I provided in the first email, and then gave me a canned response that I need to check my computer for viruses.”

Anthony stressed the character of his network was far from being a rogue one that hosted drone networks. “Our network has always been one that relied on their communities, under the premise that people come to irc to share ideas, meet new people and to gather in their own communities. We were never big on the notions of unnatural expansion, inflated, false communities or hierarchies. We’re tough on botnets and non-conducive to file sharing… We have (had?) literary communities, fan communities, hobbyists, gamers, etc; pretty much running the gamut of personalities.”

Both Anthony and Exstatica have considered legal action. But since there is no monetary loss and the only thing violated is the RFC specifications, such an action will most likely not be very fruitful.

For Anthony and Exstatica there is one reason left to fight back, however: to stand up for Net neutrality. Anthony: “I also hope that our representatives do something, regarding Net Neutrality, to prevent the monopolization of the Internet. This could in some ways be compared to racketeering or a corporate equivalent of China’s restriction on the Internet. I firmly believe this to be a constitutional violation to our right of free speech and if we do not act now, when do we act? When will it be too late?”

Reviewing the ISPs’ move, it is unknown how many drones it could have caught; it cannot be many, as most zombie software has since moved from IRC to P2P and HTTP. Moreover, the text commands can be given in a private message, a channel message or the channel topic. Prefixes range from . to , to & and can be virtually anything, including the word of the command itself (remove, uninstall, etc.), so a fixed list of cleanup commands will only ever reach a fraction of the drones.

Admins advise users to use alternative DNS servers if they experience these problems when connecting to their IRC network. Since the media attention on this issue started yesterday, several DNS records have been restored, though of course without any explanation of why they were hijacked in the first place.
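One check an admin in this situation can run, as an added example that is not from IRC-Junkie or any of the networks named above: compare the A, NS and SOA records an ISP’s resolver returns for the IRC server with the records from an independent resolver (or the zone’s own authoritative server). The sample answers below are constructed for a placeholder domain; in practice they would come from `dig @resolver name TYPE` output.

```python
"""Detect resolver-level hijacking ("juping") of an IRC server's DNS records.

Added example; a mismatch in A, NS or SOA between an ISP resolver and an
independent reference points at a hijacked zone rather than a normal
update, because a legitimate change would propagate to both.
"""
from collections import defaultdict


def parse_records(text):
    """Parse zone-file style lines 'name TTL IN TYPE rdata' into
    {(name, type): set(rdata)}. TTLs are ignored on purpose: they
    legitimately differ between resolvers and would cause false alarms."""
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[2].upper() != "IN":
            continue
        name, _ttl, _cls, rtype, rdata = parts
        records[(name.lower().rstrip("."), rtype.upper())].add(rdata.strip())
    return dict(records)


def find_hijacked(isp_text, reference_text, watch=("A", "NS", "SOA")):
    """Return (name, type, expected, seen) for every watched record whose
    rdata set from the ISP resolver differs from the reference answer."""
    isp = parse_records(isp_text)
    ref = parse_records(reference_text)
    findings = []
    for (name, rtype), ref_rdata in ref.items():
        if rtype not in watch:
            continue
        seen = isp.get((name, rtype), set())
        if seen != ref_rdata:
            findings.append((name, rtype, sorted(ref_rdata), sorted(seen)))
    return findings


# Constructed sample answers for a placeholder network (not real data).
REFERENCE = """
irc.example.net.  3600 IN A   192.0.2.10
example.net.      3600 IN NS  ns1.example.net.
example.net.      3600 IN SOA ns1.example.net. hostmaster.example.net. 2007072201 7200 900 1209600 3600
"""
ISP_RESOLVER = """
irc.example.net.  300 IN A   198.51.100.5
example.net.      300 IN NS  ns.isp-sinkhole.example.
example.net.      300 IN SOA ns.isp-sinkhole.example. abuse.isp-sinkhole.example. 1 3600 600 86400 300
"""

if __name__ == "__main__":
    for name, rtype, expected, seen in find_hijacked(ISP_RESOLVER, REFERENCE):
        print(f"{name} {rtype}: expected {expected}, resolver returned {seen}")
```

The NS records delegated by the parent zone are the most trustworthy reference, since a resolver that serves its own SOA and NS for the zone is answering for a zone it does not own.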

Over the past few years this has happened a few times before, but never on the scale of this move, and never involving networks as large as EFnet.

Nessun, owner of the Rizon IRC network, has been named before on this website as a source of DDoS attacks. IRC-Junkie was unaware that one of the three suspects reported on in the “FBI Arrests Three Botherders” article written 10 days ago, namely Jason Michael Downey, is in fact the same Nessun.

Downey, 24, has pleaded guilty to operating a botnet and computer fraud. When U.S. District Judge Nancy G. Edmunds asked his reasons for performing DDoS attacks, she heard his reply: “I was doing it because I could, more than anything,” Downey replied. “It was a dumb thing to do.”

Under a plea agreement he faces up to 24 months in prison and a $40,000 fine. A total of $21,000 may also have to be paid to cover costs resulting from his attacks.

With the arrest of three suspected bot herders the FBI discovered botnets consisting of about a million infected machines worldwide. Among the charges against the three are spamming and infecting IT systems at hospitals.

The operation took place under the name “Operation Bot Roast”, an ongoing operation to hunt down botnets and their owners.

Among the three men arrested is Robert Soloway from Seattle, a long-time spam king. Another man, Downey, controlled a botnet of Agobot-infected machines from an IRC server and performed DDoS attacks with it.

The FBI will try to warn the owners of the one million infected machines and point them to safe computing practices.

Although botnet masters increasingly use platforms other than IRC to command their zombie networks, IRC remains the biggest platform in use to date.

These botnets are used by malicious users to perform DDoS attacks, to collect personal data such as banking information and credit card details, and, for example, as a base from which to send spam. The machines in these botnets are usually compromised home PCs.

About 75% of the software used in botnets consists of Sdbot and Gaobot. “This dominance is not so much due to any special features of Gaobot or Sdbot, but simply because their code is much more widely available on the Internet. This means that any criminals that want to make a bot can simply base it on the source code of these threats, making any modifications they choose. Essentially, this saves them a lot of work,” said Luis Corrons, technical director at PandaLabs.

IRC networks have been very active in hunting down and shutting down botnets. Security software such as firewalls also increasingly warns users about IRC traffic, adding to the chance that a compromised machine gets cleaned. To avoid detection, botnets increasingly use HTTP, ordinary web traffic that is far less likely to be regarded as suspicious. Peer-to-peer style networks are now in use as well.

“Control through IRC is useful for controlling isolated computers. However, this system is not so useful when it comes to botnets. By using HTTP, bot herders can control many more computers at the same time, and can even see when one of them is online or if the commands have been executed correctly,” Corrons continued.

Bringing criminals to justice takes time, a lot of time. Back in October 2004 we reported on the arrest of Fyle/Anatoly, who was causing havoc on the Darkmyst network as well as many others.

Fyle/Anatoly, whose real name is Richard C. Honour, 30, of Kenmore, Washington, was arrested on suspicion of writing viruses that were spread by tricking IRC users into following malicious links. A total of 21 networks had to deal with it and keep innocent users from being infected.

The goal of the virus was to collect personal information in order to abuse it for financial gain.

Honour has pleaded guilty to the count of spreading viruses.

He will hear his sentence in May and, if convicted, faces up to 5 years in jail and a $250,000 fine.